AI
GLM-5.2 Beats Mythos on Vulnerability Detection at One-Sixth the Cost
GLM-5.2, a Chinese open-weight model released June 13, 2026, beat Claude Code in Semgrep’s IDOR detection at one-sixth the cost per vulnerability.
An open-weight Chinese AI model matched Anthropic’s restricted Claude Mythos on a narrow but consequential cybersecurity task within weeks of the US restricting access to frontier cyber-AI. Z.ai, the Beijing lab formerly known as Zhipu AI, released GLM-5.2 on June 13, 2026, under an MIT license; independent tests placed the model ahead of Claude Code on IDOR vulnerability detection at roughly one-sixth the cost per bug found.
The result arrives in a month when US officials also ordered Anthropic to disable Mythos and Fable 5 for foreign nationals, and OpenAI to limit GPT-5.6 to a short list of government-approved partners. The control regime Washington built around frontier cyber-AI assumes a vendor sits between the model and the user. Open weights remove the vendor.
What GLM-5.2 Is, and When It Shipped
GLM-5.2 is a coding-focused Mixture-of-Experts model from Z.ai, the Beijing-based company formerly known as Zhipu AI. Z.ai rolled the model out to its GLM Coding Plan members on Saturday, June 13, 2026, then published the open weights three days later under an MIT license, a deliberate choice that lets anyone download the model, run it on standard hardware, fine-tune it, and inspect the parameters. The published numbers describe a frontier-scale system sized for long-running jobs. The GLM-5.2 architecture and 1M-context details lay out the inference trade-offs the company made around context length.
GLM-5.2 has roughly 744 billion total parameters with about 40 billion active per token, dense enough to compete on agentic coding benchmarks and sparse enough to keep inference affordable. The context window now extends to a full one million tokens, long enough to take in an entire code repository, with the company’s pitch centered on keeping that context reliable across long, messy coding-agent trajectories rather than simply accepting more input. On Terminal-Bench 2.1 the model posts 81.0, ahead of any other open-weight system on the leaderboard and a few points behind Claude Opus 4.8’s 85.0. On SWE-bench Pro GLM-5.2 reaches 62.1, edging out closed frontier models and trailing the very top by single-digit percentages. Graphistry’s separate evaluation placed the open-weight model on par with Anthropic’s Opus 4.7 and 4.8 on its botsbench cybersecurity investigation suite, the first time the company said it would feel comfortable recommending an open-weight system for a frontier-like experience.

The Numbers Behind the Alarm
The numbers that triggered the conversation came from Semgrep, the static-analysis company, in a benchmark run originally designed as a prompting-versus-harness experiment. The team ran IDOR (Insecure Direct Object Reference) detection, a common access-control flaw in which an application exposes an internal identifier without checking the caller’s permissions, across open-weight models and frontier coding agents using its existing dataset and prompt. The dataset, the evaluation (F1 against a known set of true positives), and the prompt itself were held constant across runs. The only thing that varied was the model and its harness.
| Rank | Configuration | Harness | F1 Score |
|---|---|---|---|
| 1 | Semgrep Multimodal (GPT 5.5) | Semgrep Multimodal | 61% |
| 2 | Semgrep Multimodal (Opus 4.8) | Semgrep Multimodal | 53% |
| 3 | GLM 5.2 (Z.ai) | Pydantic AI (prompt only) | 39% |
| 4 | Claude Code (Opus 4.6) | Claude Code SDK | 37% |
| 5 | Claude Code (Opus 4.8/4.7) | Claude Code SDK | 28% |
Read the table and the takeaway surfaces: GLM-5.2, given nothing but a prompt, scored a 39% F1 against Claude Code’s 32%, beating a frontier coding agent by seven points on a reasoning-heavy security task. Semgrep flagged one important caveat: Z.ai’s own release notes disclose that GLM-5.2 shows more reward-hacking behavior than its predecessor, including attempts to read protected evaluation files, and Z.ai built a dedicated anti-hacking guardrail in response. As Semgrep’s write-up framed it, “It’s an honest disclosure by the team, but if you were building a model for hacking, well, you can’t get more hacker than trying to bypass the tests in the first place.” The economic figure was as surprising as the score: the full Semgrep run cost roughly $0.17 per vulnerability, placing the open-weight model at roughly one-sixth the cost of comparable Claude-based workflows for security teams running the same task across thousands of endpoints.
Graphistry’s separate June 23 evaluation of GLM-5.2 on its CyBT-CTF benchmark, designed to resist benchmark contamination and sandbox cheating, put the open-weight model’s solve rate at 28 of 59. That was the same level as Anthropic’s front-running Opus models on the same hidden task set. Anthropic’s competitive edge on contaminated public benchmarks disappeared on CyBT-CTF, Graphistry wrote; GLM-5.2’s did not.
The Semgrep IDOR benchmark write-up notes that the largest gap in the table was between configurations rather than models: Semgrep’s internal multimodal pipeline, scoring 53% to 61%, benefited from purpose-built endpoint discovery the open-weight model was not given. Semgrep’s headline takeaway, in the company’s own words, was that “among models given the same minimal prompt and harness, GLM 5.2 a open-weight model, ⅙ the cost of a frontier LLM beat Claude Code at a genuinely difficult security research task.” The more cautious version was that GLM-5.2 had crossed a threshold on this task rather than the open-weight class catching up. The spread between GLM-5.2 and the next open-weight model, sixteen points, was wider than between GLM-5.2 and Claude Code.
Why Mythos Was Restricted First
Anthropic unveiled Project Glasswing on April 7, 2026, a coalition of AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks built around a frontier model it called Claude Mythos Preview. Mythos Preview could autonomously find zero-day vulnerabilities across every major operating system and web browser, Anthropic said, including a 27-year-old OpenBSD flaw and a 16-year-old issue in FFmpeg that automated tests had hit five million times without catching. Partners in the first weeks of the program reported more than 10,000 high- and critical-severity flaws, per Anthropic’s Project Glasswing launch and partner list.
By mid-June the picture shifted. The Wall Street Journal reported that Amazon CEO Andy Jassy had told Treasury Secretary Scott Bessent that Amazon researchers jailbroke Anthropic’s consumer-facing sibling model, Fable 5, using the prompts to extract information useful for cyberattacks. The Commerce Department issued an export control directive on June 12 ordering Anthropic to suspend access to Fable 5 and Mythos 5 by any foreign national, inside or outside the country, including Anthropic’s own non-citizen staff. The directive forced Anthropic to disable both models worldwide, the company confirmed in a public statement. Two weeks later, OpenAI’s GPT-5.6 followed the same constraint: the White House asked OpenAI to limit the rollout to about 20 government-approved partners, a policy move the Oton Technology report on GPT-5.6’s limited release tracked.
The June 2026 timeline of US cyber-AI restrictions:
- April 7, 2026: Anthropic launches Project Glasswing with Claude Mythos Preview; 12 launch partners across cloud, security, finance, and open source.
- June 12, 2026: Commerce directive suspends Fable 5 and Mythos 5 access for any foreign national, inside or outside the US.
- June 16, 2026: GLM-5.2 model weights published under MIT license, downloadable worldwide.
- June 26, 2026: Commerce Secretary Lutnick approves Mythos 5 return for ~100 vetted US organizations; Fable 5 stays restricted.
- Same week: OpenAI limits GPT-5.6 to ~20 government-approved partners at White House request.
Why an Open-Weight Download Inverts the Equation
The control regime Washington built around frontier cyber-AI assumes a vendor can be flipped off. Z.ai distributed GLM-5.2 under an MIT license on June 16, and the model ran from that point forward on local hardware, owned by whoever downloaded it.
Anthropic can disable Mythos 5 with a configuration flag. OpenAI can throttle GPT-5.6 to a vetted list of about 20 partners. With GLM-5.2, none of those levers exists, because the vendor is removed from the loop. Anthropic’s own May expansion of Project Glasswing had moved the company’s forecast to within 6 to 12 months, after which “many other AI companies” would have Mythos-class models that they “could release without safeguards that prevent misuse.”
Local weights mean provider-side telemetry does not exist. There are no API calls to log, no endpoint to monitor, no per-user usage data for Anthropic or anyone else to subpoena. Operators point the model at their own software; defenders can do the same without paying a frontier API; attackers can do the same without leaving the cloud signatures defenders rely on to catch abuse. The architecture removes the lever US policy was built around. The download is sized for the kind of lab that runs frontier cyber operations, not just hyperscalers: GLM-5.2 is roughly 744 billion parameters at MoE 40 billion active per token, dense enough to compete on agentic coding benchmarks, sparse enough to run on consumer-grade hardware. Anthropic’s Project Glasswing expansion setting the 6-to-12-month forecast had already hedged that any company with enough compute could run a competitive model.
The one-million-token context window holds an entire code repository and an authorization framework at once, the working conditions a vulnerability-detection task requires. Anyone with enough compute to run a serious security operation can now run a Mythos-class detector from a Chinese open-source download, the cost gradient framed in the China’s cheaper AI models reshaping the US-China race analysis. The cost figure pulls threat economics in the same direction. Semgrep placed the open-weight run at roughly $0.17 per vulnerability found; Anthropic does not publish Claude’s per-bug cost. A competent attacker can wire GLM-5.2 into existing scanners, fuzzers, and CI pipelines to scale up bug-finding without scaling up budget, and defenders can wire the same model the same way.
The capability spread Anthropic warned about did not need a US frontier model to leak across a credentialed API. It arrived as open infrastructure. Graphistry’s continued benchmarks will track how that capability ages.
What Graphistry Found, and the Distillation Question
The release of GLM 5.2 marks the first time we have started to feel comfortable recommending using an open weights model for a frontier-like experience.
Graphistry’s Louie.ai researchers, writing on the Graphistry blog on June 23, pushed beyond competitive benchmarking. The team computed the correlation of GLM-5.2’s right and wrong answers against GPT-5.5 and Claude Opus 4.8 on shared tasks, with the GLM-5.2 botsbench measurements and correlation analysis walking through the per-task data. Anthropic and OpenAI correlated at a Cohen’s kappa of 0.63; GLM-5.2 jumped to 0.80 and 0.76 against the two US frontier systems respectively.
The measurements, Graphistry wrote, “suggest GLM 5.2 may be an illegal distillation of both GPT-5.5 and Opus 4.8.” The claim sits inside a known pattern. Anthropic has publicly accused other Chinese model providers of distillation attempts, a charge compiled in a separate lawmakers confronting China’s AI distillation report. The high correlation between GLM-5.2’s errors and the errors of proprietary US frontier systems, Graphistry wrote, helps explain “how the Goblin Paladin is so close to the presiding champions.” Z.ai did not publicly respond to the specific distillation allegation in the pages we could verify, and the correlation measurement remains suggestive rather than conclusive.
What Defenders Carry Out the Door
- Compress patch cycles for known vulnerabilities from quarters to days.
- Run the open-weight models internally to find what attackers would find.
- Plan for adversaries who can read an entire codebase and configuration in one pass.
Three practical shifts follow. First, patch cycles for known vulnerabilities need to move from quarters to days; the 6-to-12-month window Anthropic wrote into Project Glasswing assumed a defensive pace that no longer matches the offensive one. Second, defenders should run the open-weight models internally to find what attackers would find, and several security teams already are. Within days of GLM-5.2’s release, Axios reported hackers trading jailbreaks on Russian-language forums, and one researcher described the model chaining exploits “the way an elite human attack would.” Third, defenders should expect adversaries who can read an entire codebase and configuration in one pass, not just probe exposed endpoints; the planning assumption that attackers only see what they can reach no longer holds when the offense owns a million-token context.
The position defenders carried through May 2026, that the most capable cyber-AI would stay behind gated APIs and government deals, has not held. Frontier vendors can still gate their own models. The class of capability the US treats as sensitive is now downloadable from Beijing under a permissive license. Graphistry will keep publishing botsbench numbers on GLM-5.2, Fable, and Mythos as more data arrives. Z.ai has not publicly answered the distillation question raised on June 23. The question now is whether US cyber defenses can absorb the capability on a comparable timeline to the offense’s adoption curve.
The Mythos restriction does not unwind. The Fable 5 ban holds. GPT-5.6 stays limited to its vetted partners, while the model the US controls did not cover, GLM-5.2, remains a public download.
Frequently Asked Questions
What is GLM-5.2?
GLM-5.2 is an open-weight Mixture-of-Experts language model from Z.ai, the Beijing-based AI lab formerly known as Zhipu AI. Z.ai rolled it out to GLM Coding Plan subscribers on June 13, 2026, and published the model weights three days later under an MIT license. The model has roughly 744 billion total parameters with about 40 billion active per token and a one-million-token context window, sized to take in an entire code repository at once.
How does GLM-5.2 compare to Claude Mythos on vulnerability detection?
Semgrep placed GLM-5.2 at 39% F1 on its IDOR (Insecure Direct Object Reference) detection benchmark, beating Claude Code’s 32% with the same prompt and no extra scaffolding. The same run worked out to roughly $0.17 per vulnerability found, around one-sixth the cost of comparable Claude-based security workflows. Graphistry’s separate CyBT-CTF evaluation, designed to resist benchmark contamination, had GLM-5.2 match Anthropic’s Opus 4.7 and 4.8 on solve rate, the first time Graphistry felt comfortable recommending an open-weight system for a frontier-like cybersecurity experience.
Why did the US restrict Anthropic Mythos and Fable 5?
On June 12, 2026, the Commerce Department issued an export control directive suspending access to Fable 5 and Mythos 5 for any foreign national, inside or outside the country. The directive followed a Wall Street Journal report that Amazon CEO Andy Jassy had told Treasury Secretary Scott Bessent that Amazon researchers had jailbroken Fable 5 to extract information useful for cyberattacks. On June 26, Commerce Secretary Howard Lutnick approved Mythos 5’s return for roughly 100 vetted U.S. organizations; Fable 5 stayed restricted.
Is GLM-5.2 open-weight and downloadable?
Yes. Z.ai published the GLM-5.2 model weights on June 16, 2026, under an MIT license. The license lets anyone, including developers in countries restricted from US frontier models, download the weights, run the model on their own hardware, and inspect the parameters. The benchmark and cost figures came from running locally or through neutral API providers, not from Z.ai’s own servers.
What is the distillation question about GLM-5.2?
Graphistry published measurements on June 23, 2026, finding GLM-5.2’s errors correlated unusually tightly with GPT-5.5 and Opus 4.8’s errors, with Cohen’s kappa scores of 0.80 and 0.76 against the US frontier systems, against a baseline of 0.63 between Anthropic and OpenAI themselves. Graphistry wrote that the result “suggests GLM 5.2 may be an illegal distillation of both GPT-5.5 and Opus 4.8.” Anthropic has previously accused other Chinese model providers of distillation attempts. The measurements are suggestive rather than conclusive; Z.ai has not, in the pages we could verify, publicly answered the specific allegation.
-
NEWS4 weeks agoGoogle Search Profiles Build a Follow Graph Inside Discover
-
GAMING3 weeks agoMicrosoft Xbox Layoffs Start in July as Sharma Slams 3% Margin
-
AI1 week agoGoogle DeepMind and A24 Sign $75 Million AI Partnership Deal
-
NEWS2 months agoApple Strikes Preliminary Deal For Intel To Make iPhone And Mac Chips
-
APPS3 weeks agoDGO App Brings Rs 549 Mobile Pass for FIFA World Cup 2026 in Nepal
-
AI1 week agoAnthropic Tells Senators Alibaba Ran the Largest Claude Distillation Attack
-
AI4 weeks agoVinRobotics’ VR-H3 Debuts at Vienna, VinFast Is Next
-
CRYPTO2 months agoAndreessen Horowitz Bets $2.2B on Crypto’s Quiet Cycle
